showker Posted November 24, 2007

I would sincerely appreciate it if someone could reply with a link to an online chart that shows the ASCII equivalents for email encoded with "equal" characters. ("=")

Quite often the "=" in URLs is "=3D" and periods "=2F"

But I haven't been able to find a chart anywhere that will show me the other characters. What is that called?

SAMPLE:

> =C3=CE=D1=D3=C4=C0=D0=D1=D2=C2=C5=CD=CD=CE=C3=CE
> =C7=C0=CA=C0=C7=C0<BR>=CF=F0=E0=EA=F2=E8=F7=E5=F1=EA=E8=E5
> =E7=ED=E0=ED=E8=FF<BR>=CE=F2=E2=E5=F2=FB =ED=E0 =E2=F1=E5
> =C2=E0=F8=E8 =E2=EE=EF=F0=EE=F1=FB<BR>
> =C2 =EA=E0=F7=E5=F1=F2=E2=E5 =F0=E0=E7=E4=E0=F2=EE=F7=ED=EE=E3=EE
> =EC=E0=F2=E5=F0=E8=E0=EB=E0 -
> =E0=E2=F2=EE=F0=F1=EA=E8=E5 =F0=E0=E7=F0=E0=E1=EE=F2=EA=E8
> <BR>

END SAMPLE.

Can someone explain ???

Thanks
Fred
rconner Posted November 24, 2007

> But I haven't been able to find a chart anywhere that will show me the other characters. What is that called?

It is called MIME quoted-printable encoding. It is often used in mail bodies to represent text in non-ASCII character sets. To encode a byte value, QP uses the "=" followed by the hex value of the byte. As you note, "=3D" is the encoding for the "=" itself. Because most of the byte values in your quote are above 0x7f (decimal 127), they are not ASCII and therefore probably in some foreign character set, so using an ASCII chart won't be helpful.

If you want to convert this to something that you can read, you would have to find out first what character set it is composed in. This is usually specified in the "charset=" MIME statement in the packet.

The best thing to do with this might be to view the raw packet in a web browser (e.g., using the preview link of a SpamCop page), and then force the browser to use the character set specified in the "charset" field; this should decode the QP and also supply the correct glyphs (characters) for the display.

I have some further information on my website at http://www.rickconner.net/spamweb/pop-expose-body.html.

Hope this is helpful,

-- rick

On edit: I left a step out of the process described above, so I'm striking it out. In fact, you will first need to use some sort of tool to convert the "=nn" to the corresponding byte values. I have one that I use on my local computer, but it is hard to find one online. There is http://www.toastedspam.com/decodeqp, but I am not convinced that it works well with eight-bit characters (i.e., foreign character sets). There are others that you can download and run on your computer locally, try a google for "quoted printable decoder."

Once you have the byte values (which may look like "text salad" to you), you can then put them in a plain text file and display them in your web browser, forcing the browser to use the character set in the "charset" tag.

The resulting message will almost certainly be in a foreign language (Russian, Chinese, etc.) so you won't get much out of it unless you can read these languages. You can get crude translations from Google etc.
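
The two steps rick describes above (turn each "=nn" into a byte, then read the bytes in the message's character set), as an added Python example that is not part of the original thread. The message is constructed from the first runs of the posted sample; the windows-1251 label and the fallback list are assumptions, since the thread never shows the original headers.

```python
import quopri
from email import message_from_bytes
from email.policy import default

# Constructed message: two runs from the sample quoted in the thread, wrapped
# in minimal MIME headers. The charset label is an assumption for illustration;
# the original message's headers are not shown in the thread.
RAW = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=windows-1251\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"=C3=CE=D1=D3=C4=C0=D0=D1=D2=C2=C5=CD=CD=CE=C3=CE =C7=C0=CA=C0=C7=C0 a=3Db\r\n"
)

def qp_to_bytes(qp: bytes) -> bytes:
    """Step 1: turn each =XX escape into the byte it stands for."""
    return quopri.decodestring(qp)

def render(data: bytes, charset: str) -> str:
    """Step 2: interpret the bytes in one character set."""
    # errors="replace" marks undecodable bytes with U+FFFD instead of raising.
    return data.decode(charset, errors="replace")

def decode_message(raw: bytes, fallbacks=("windows-1251", "koi8-r")):
    """Return {charset: text} for a single-part message.

    Uses the declared charset when present and known to Python; otherwise
    renders the body under each fallback so a reader can pick the legible one.
    """
    msg = message_from_bytes(raw, policy=default)
    body = msg.get_payload(decode=True)      # undoes the transfer encoding only
    declared = msg.get_content_charset()     # None if no charset= parameter
    try:
        if declared:
            return {declared: render(body, declared)}
    except LookupError:                      # label names a codec Python lacks
        pass
    return {cs: render(body, cs) for cs in fallbacks}

if __name__ == "__main__":
    for cs, text in decode_message(RAW).items():
        print(cs, "->", text)
```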

Farelf Posted November 24, 2007

The example is heavily modified - Rick's approach is the way to go but cleaning it up (Wordpad and global replaces) to

C3CED1D3C4C0D0D1D2C2C5CDCDCEC3CEC7C0CAC0C7C0 CFF0E0EAF2E8F7E5F1EAE8E5E7EDE0EDE8FF CEF2E2E5F2FB EDE0 E2F1E5C2E0F8E8 E2EEEFF0EEF1FB C2EAE0F7E5F1F2E2E5F0E0E7E4E0F2EEF7EDEEE3EE ECE0F2E5F0E8E0EBE0 E0E2F2EEF0F1EAE8E5F0E0E7F0E0E1EEF2EAE8

and feeding that through Sweet Sixteen gives

ÃÎÑÓÄÀÃÑÒÂÅÃÃÎÃÎÇÀÊÀÇÀÃðà êòè÷åñêèåçÃà ÃèÿÎòâåòûÃà âñåÂà øèâîïðîñûÂêà ÷åñòâåðà çäà òî÷Ãîãîìà òåðèà ëà à âòîðñêèåðà çðà áîòêè

which is representative of nothing I recognize offhand - maybe a table, something to do with a character set as Rick suggests.

rconner Posted November 24, 2007

> nothing I recognize offhand - maybe a table, something to do with a character set as Rick suggests.

I tried a couple of cyrillic sets, as these are the ones that turn up most often in my spam. No luck. Maybe Chinese, but I couldn't tell if it worked or not.

Perhaps showker can share a tracking link on this message so we can get a better look at the MIME info.

-- rick

michaelanglo Posted November 25, 2007

> I would sincerely appreciate it if someone could reply with a link to an online chart that shows the ASCII equivalents for email encoded with "equal" characters. ("=") Quite often the "=" in URLs is "=3D" and periods "=2F"

If you just want to decode it into whatever 8 bit code it was originally then it's one of the things that WinZip can do.

I did a 'Save As' from my email client, then rename extension from .eml to .uue, which made it 'owned' by Winzip. Then click on it which makes Winzip offer to extract it to a folder you choose as "0001.txt".

HTH

rconner Posted November 26, 2007

> I did a 'Save As' from my email client, then rename extension from .eml to .uue, which made it 'owned' by Winzip. Then click on it which makes Winzip offer to extract it to a folder you choose as "0001.txt".

Thanks, Michaelanglo. I had overlooked this previously. I normally use this technique for saving the MIME attachments (pictures usually) from spams detained by SpamCop, but I tried it out on a Russian spam and it does convert the QP encoding in the body back to normal bytes. If the character set isn't properly identified in the MIME header, you may still have to force it to Cyrillic (or whatever) using the encoding menu of your browser or editor.

What I usually do is to save the raw packet from my browser or mail program to a file using a .MIME extension (e.g., "spam.mime") and then double-click it. The built-in decoder in Mac OS X opens this automatically on my home machine, while the Windows version of Stuffit will open it on my work machine. You can also decode the spam using WinZip according to the method you describe.

-- rick

showker Posted December 1, 2007

So, that brings us to the next question: Are they so stupid they don't realize that the spam is simply unreadable -- and doing nothing but wasting their time and ours????

Is there ANYONE who can read the spam directly in their browser?

Farelf Posted December 1, 2007

> ...Is there ANYONE who can read the spam directly in their browser?

Hard to tell - I don't usually "read" it, except as "page source" for the purpose of copying and pasting to report (and it then transforms to that hex mush) but I'm reasonably sure the mail client view would show the Cyrillic if I opened one, Mozilla or Outlook. I get real mail with Cyrillic parts and it is no problem to view.

rconner Posted December 1, 2007

> Is there ANYONE who can read the spam directly in their browser?

Yes, millions of people in Russia (or China, or Korea, or Japan, etc.). All modern browsers & mail programs will decode QP and render it in the indicated character set using an appropriate font as Cyrillic text (or Han or Hangul or Kanji or whatever). If the message made it to your browser or mail program, you too would be able to read it (if you could read these languages).

In this case, you are receiving the spam but you are probably not part of the intended audience. Spam has become practically a conventional advertising medium in Russia, and many Russians spam indiscriminately for mundane products like kitchen appliances, business training seminars, home improvement services, and the like. Inevitably these spams leak outside the spammer’s target market in a form of "overspray" (by analogy with "blowback").

I have some more info at my website: http://www.rickconner.net/spamweb/spam_russian.html

-- rick

showker Posted December 1, 2007

Okay. I use Spamcop's web based email interface, so it's all geek in that program. I use the web based interface because I simply don't want to bring it down to my computer.

Rick, You seem to be very knowledgable about all this. I really enjoy your web site and have referenced several items in my Delicious page.

Let me ask yet a further question: Would it be illegal for an entity to offer an award for "Proof of Concept" of a botnet that would counter spam IPs and botnets? Seems if it works one way -- it should surely work the other way too.

What do you suppose the reaction would be if someone put up --say-- $100,000.00 -- to the first programmer who could successfully accomplish and sustain that?

Or, do you think anyone capable of such a feat is already hired out by the criminals, making much more, and not interested?

Thanks in advance

rconner Posted December 1, 2007

> You seem to be very knowledgable about all this. I really enjoy your web site and have referenced several items in my Delicious page.

Thanks!

> Would it be illegal for an entity to offer an award for "Proof of Concept" of a botnet that would counter spam IPs and botnets? Seems if it works one way -- it should surely work the other way too.

Probably it would not be illegal to make such an offer, but those trying to compete for the prize might be led down some shady paths.

You seem to have chosen your weapon (i.e., a "white-hat botnet") before examining your target(s); what would you want this botnet to do? Also, the term "botnet" carries a connotation of deliberate, stealthy subversion of computers without the knowledge or consent of those computers' owners. This is clearly against U.S. law, at any rate. It would also be trading abuse for abuse, something that I personally would not favor.

The bigger question, however, is whether we could expect a single solution to deal effectively with the sort of diffuse, distributed problem that spam represents. I must invoke my fellow Marylander, H.L. Mencken, who observed that there is a simple solution to every problem -- and it is usually wrong. In my experience, it does not take long for spammers to subvert or evade any blocks that are put in front of them.

You may recall the Blue Frog incident. Myself, I thought that Blue Frog was morally defensible (i.e., it was sending "remove messages" that had been explicitly solicited by the spammers) even though if you read through the lines you might have concluded that Blue Frog was trying to DOS-attack the spammers. Nevertheless, Blue Frog was smashed utterly by a sustained DOS-attack apparently from one of the Russian pharma spammers. I don't think that Blue Frog ever posed much of a problem for spammers when it was operating, and certainly poses no problem at all for them right now.

-- rick

Farelf Posted December 3, 2007

> ...spam has become practically a conventional advertising medium in Russia, and many Russians spam indiscriminately for mundane products like kitchen appliances, business training seminars, home improvement services, and the like. Inevitably these spams leak outside the spammer’s target market in a form of "overspray" (by analogy with "blowback"). I have some more info at my website: http://www.rickconner.net/spamweb/spam_russian.html

And, considering the recent rash of "Help, I'm being blackmailed" posts, it seems a blossoming trade in dodgy lists has ensued with a few of the new entrepreneurs taking that extra step - maybe using spam runs as proof of concept to ensure hits on SC reporters.

Just checked out a couple of my recent Cyrillic spams - yes they are perfectly readable to anyone who wants to read spam and yes they are perfectly prosaic and totally mis-directed. Wanting to lease commercial properties in need of renovation, that sort of thing - telephone contacts given.

rconner Posted December 4, 2007

> (...) it seems a blossoming trade in dodgy lists has ensued with a few of the new entrepreneurs taking that extra step - maybe using spam runs as proof of concept to ensure hits on SC reporters.

Making protection money by threatening to turn people in to SpamCop...my hat is off to this gent! Then again, I don't usually wear a hat anyway, so this is no big deal.

The glass-half-full observation is that being tarred by SpamCop is something that people actually fear...I have this mental picture of all the SC reporters as a pit of rabid curs, with the Simon Legree scammer here suspending the prospective victim over the pit by a slender cord, machete in hand.

-- rick

Farelf Posted December 4, 2007

> ... Making protection money by threatening to turn people in to SpamCop...my hat is off to this gent! Then again, I don't usually wear a hat anyway, so this is no big deal. ...

Heh, a self-proclaimed white knight, a disgruntled player or just a clueless little thug trying to make money out of the competitors he can't outperform, who knows? Fortunately for him it probably doesn't matter, the heavy mob are unlikely to mistake him for a real threat. Of course they might just take exception to the impudence ...